Log In

Cisco's scramble exposes uncomfortable truths about US cyber defence

Too much focus on offense?

When WikiLeaks founder Julian Assange disclosed earlier this month that his anti-secrecy group had obtained CIA tools for hacking into technology products made by US companies, security engineers at Cisco swung into action.

The WikiLeaks documents described how the Central Intelligence Agency had learned more than a year ago how to exploit flaws in Cisco's widely used switches to enable eavesdropping.

Senior Cisco managers immediately reassigned staff from other projects to figure out how the CIA hacking tricks worked, so they could help customers patch their systems and prevent criminal hackers or spies from using the same methods, three employees told Reuters on condition of anonymity.

The Cisco engineers worked around the clock for days to analyse the means of attack, create fixes, and craft a stopgap warning about a security risk affecting more than 300 different products, said the employees, who had direct knowledge of the effort.

That a major US company had to rely on WikiLeaks to learn about security problems well-known to US intelligence agencies underscores concerns expressed by dozens of current and former US intelligence and security officials about the government's approach to cybersecurity.

That policy overwhelmingly emphasises offensive cyber security capabilities over defensive measures, these people told Reuters, even as an increasing number of US organisations have been hit by hacks attributed to foreign governments.

Larry Pfeiffer, a former senior director of the White House Situation Room in the Obama administration, said now that others were catching up to the United States in their cyber capabilities, "maybe it is time to take a pause and fully consider the ramifications of what we’re doing".

US intelligence agencies blamed Russia for the hack of the Democratic National Committee during the 2016 election. Nation-states are also believed to be behind the 2014 hack of Sony Pictures Entertainment and the 2015 breach of the US Government's Office of Personnel Management.

CIA spokeswoman Heather Fritz Horniak declined to comment on the Cisco case, but said it was the agency's "job to be innovative, cutting-edge, and the first line of defence in protecting this country from enemies abroad".

The Office of the Director of National Intelligence, which oversees the CIA and NSA, referred questions to the White House, which declined to comment.

Across the federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters.

President Donald Trump’s budget proposal would put about US$1.5 billion into cyber security defence at the Department of Homeland Security (DHS). Private industry and the military also spend money to protect themselves.

But the secret part of the US intelligence budget alone totaled about US$50 billion annually as of 2013, documents leaked by NSA contractor Edward Snowden show. Just 8 percent of that figure went toward “enhanced cyber security,” while 72 percent was dedicated to collecting strategic intelligence and fighting violent extremism.

Departing NSA deputy director Rick Ledgett confirmed that 90 percent of government cyber spending was on offensive efforts, and agreed it was lopsided.

"It's actually something we're trying to address" with more appropriations in the military budget, Ledgett said.

"As the cyber threat rises, the need for more and better cyber defence and information assurance is increasing as well."

The long-standing emphasis on offense stems in part from the mission of the NSA, which has the most advanced cyber capabilities of any US agency.

It is responsible for the collection of intelligence overseas and also for helping defend government systems. It mainly aids US companies indirectly, by assisting other agencies.

“I absolutely think we should be placing significantly more effort on the defence, particularly in light of where we are with exponential growth in threats and capabilities and intentions," said Debora Plunkett, who headed the NSA’s defensive mission from 2010 to 2014.

Government role

How big a role the government should play in defending the private sector remains a matter of debate.

Former military and intelligence leaders such as ex-NSA director Keith Alexander and former Secretary of Defense Ashton Carter say that US companies and other institutions cannot be solely responsible for defending themselves against the likes of Russia, China, North Korea and Iran.

For tech companies, the government's approach is frustrating, executives and engineers say.

Sophisticated hacking campaigns typically rely on flaws in computer products. When the NSA or CIA find such flaws, under current policies they often choose to keep them for offensive attacks, rather than tell the companies.

In the case of Cisco, the company said the CIA did not inform the company after the agency learned late last year that information about the hacking tools had been leaked.

“Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found, so we can fix them and notify customers,” company spokeswoman Yvonne Malmgren said.

Side by side

A recent reorganisation at the NSA, known as NSA21, eliminated the branch that was explicitly responsible for defence, the information assurance directorate (IAD), the largest cyber defence workforce in the government.

Its mission has now been combined with the dominant force in the agency, signals intelligence, in a broad operations division.

Top NSA officials, including director Mike Rogers, argue that it is better to have offensive and defensive specialists working side by side.

Other NSA and White House veterans contend that perfect defence is impossible and therefore more resources should be poured into penetrating enemy networks - both to head off attacks and to determine their origin.

Curtis Dukes, the last head of IAD, said after retiring last month that he feared defence would get even less attention in a structure where it does not have a leader with a direct line to the NSA director.

“It’s incumbent on the NSA to say 'this is an important mission'," Dukes said.

All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.Your use of this website
constitutes acceptance of nextmedia's Privacy Policy and
Terms & Conditions.